DHS bans Kaspersky on federal PCs over Russia fears [Updated]

The US Department of Homeland Security has issued a blanket ban on Kaspersky anti-virus software, informing all Federal Executive Branch departments and agencies that they need to stop using the apps. Citing concerns that the anti-virus, malware protection, and other software Kaspersky Lab offers has “elevated privileges” on government computers, the DHS says that its new directive is based on fears that the company’s Russian base might leave American data exposed.

One worst-case scenario the DHS outlines is that Russian intelligence agencies might work with Kaspersky officials to extract data from US systems, using the very software that US government agencies have installed to protect themselves. Even if that doesn’t occur, there are laws in Russia about data privacy which have given the DHS pause for thought. For instance, Russian intelligence agencies can “compel assistance” from Russian companies to hand over information that passes through their networks.

“Kaspersky anti-virus products and solutions provide broad access to files and elevated privileges on the computers on which the software is installed, which can be exploited by malicious cyber actors to compromise those information systems. The Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks. The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security.” (DHS)

Binding Operational Directive 17-01 takes steps to address that potential security risk. Any US government agency using Kaspersky products needs to identify them within the next 30 days, the DHS instructs, and then come up with a plan to remove them completely in the next 60 days. At 90 days from today, those agencies must start the removal process, unless otherwise directed by the DHS.

Kaspersky Lab has been invited to comment on the directive with a written response, the Department of Homeland Security said today. For the DHS to consider overturning the decision, however, the company would need to address the agency’s fears, or “mitigate those concerns.” At time of publication, the software company is yet to make a public statement; we’ve requested comment from Kaspersky, and will update if and when that happens.

It’s not the first blow in recent months for the Russian business, mind. Just a few days ago, Best Buy pulled Kaspersky’s products from its shelves with claims that there were “too many unanswered questions” about the connections the company has with Russian intelligence services.

In response to previous accusations, Kaspersky had pointed out that it “has never helped, nor will help, any government in the world with its cyberespionage or offensive cyber efforts.” It had also offered to submit its software to independent tests, to verify it was free of backdoors and other security loopholes.

“Eugene Kaspersky, CEO and founder of Kaspersky Lab, has repeatedly offered to meet with government officials, testify before the U.S. Congress and provide the company’s source code for an official audit to help address any questions the U.S. government has about the company,” the company said in a statement earlier this month. It also pointed out that government and business users have the option to opt out of sending data to the Kaspersky Security Network (KSN).

“In addition, business and government users may choose to install a local and private KSN center on their premises to make sure the data never leaves their facility,” the company highlighted. “Also, all data processed and/or transferred is robustly secured through encryption, digital certificates, segregated storage and strict data access policies.”

Update: Kaspersky Lab has provided us with the following statement, in which it again denies “inappropriate ties” with any government and says it “looks forward to working” with the Department of Homeland Security to demonstrate that:

“Given that Kaspersky Lab doesn’t have inappropriate ties with any government, the company is disappointed with the decision by the U.S. Department of Homeland Security (DHS), but also is grateful for the opportunity to provide additional information to the agency in order to confirm that these allegations are completely unfounded. No credible evidence has been presented publicly by anyone or any organization as the accusations are based on false allegations and inaccurate assumptions, including claims about the impact of Russian regulations and policies on the company. Kaspersky Lab has always acknowledged that it provides appropriate products and services to governments around the world to protect those organizations from cyberthreats, but it does not have unethical ties or affiliations with any government, including Russia.

“In addition, more than 85 percent of its revenue comes from outside of Russia, which further demonstrates that working inappropriately with any government would be detrimental to the company’s bottom line. These ongoing accusations also ignore the fact that Kaspersky Lab has a 20-year history in the IT security industry of always abiding by the highest ethical business practices and trustworthy technology development.

“Regarding the Russian policies and laws being misinterpreted, the laws and tools in question are applicable to telecom companies and Internet Service Providers (ISPs), and contrary to the inaccurate reports, Kaspersky Lab is not subject to these laws or other government tools, including Russia’s System of Operative-Investigative Measures (SORM), since the company doesn’t provide communication services. Also, it’s important to note that the information received by the company, as well as traffic, is protected in accordance with legal requirements and stringent industry standards, including encryption, digital certificates and more.

“Kaspersky Lab has never helped, nor will help, any government in the world with its cyberespionage or offensive cyber efforts, and it’s disconcerting that a private company can be considered guilty until proven innocent, due to geopolitical issues. The company looks forward to working with DHS, as Kaspersky Lab ardently believes a deeper examination of the company will substantiate that these allegations are without merit.”